How to Install Pure-FTPd with Let’s Encrypt

taken from: https://hostio.solutions/kb/how-to-install/pure-ftpd/

How to Install Pure-FTPd with Let’s Encrypt

If you manage multiple servers, it is super important to make backups yourself. Hosting providers often do offer backup services, however, it’s also important to have a back-up server elsewhere so that you always have access to your own data. This is especially useful when, for example, your hosting provider is completely offline.

In this “how to install” we’ll explain step by step how you can setup an FTP server with Pure-FTPd and how you can secure it with a certificate.

For this setup, we recommend that you use a dedicated server with Debian 10.

Step 1: Update server

Make sure that your Debian 10 server is up-to-date.

Step 2: Pure-FTPd installation

When your server is up-to-date, we can install the FTP server with Pure FTPd. For this, we use the following command:

apt-get install pure-ftpd

Step 3: Configuration and setup of Pure-FTPd

To ensure that everything runs properly, the following commands must be executed:

echo "yes" > /etc/pure-ftpd/conf/Daemonize
echo "yes" > /etc/pure-ftpd/conf/NoAnonymous
echo "yes" > /etc/pure-ftpd/conf/ChrootEveryone
echo "2" > /etc/pure-ftpd/conf/TLS

We recommend setting your FTP to IPv4 only, as the performance of IPv6 is not the same for every provider. You can do this by using the following command:

echo "yes" > /etc/pure-ftpd/conf/IPV4Only

Now we are going to set the config. Out of experience we know that the following works best:

We start with deleting the existing config. To do this, you can use the following command:

rm -rf /etc/pure-ftpd/pure-ftpd.conf

Now that we’ve deleted the existing config, we can complete the config file with our settings. Open the pure-ftpd.conf.

nano /etc/pure-ftpd/pure-ftpd.conf

Now that we have the text editor open, you can copy & paste the following:

ChrootEveryone               		yes
BrokenClientsCompatibility no
MaxClientsNumber 50
Daemonize yes
MaxClientsPerIP 8
VerboseLog no
DisplayDotFiles yes
AnonymousOnly no
NoAnonymous no
SyslogFacility ftp
DontResolve yes
MaxIdleTime 15
LimitRecursion 10000
AnonymousCanCreateDirs no
MaxLoad 4
AntiWarez yes
Umask 133:022
MinUID 100
AllowUserFXP no
AllowAnonymousFXP no
ProhibitDotFilesWrite no
ProhibitDotFilesRead no
AutoRename no
AnonymousCantUpload no
MaxDiskUsage 99
CustomerProof yes
CertFile /etc/ssl/private/pure-ftpd.pem

Everything is now set up and configured.

Step 4: Secure the FTP server with Let’s Encrypt.

It’s important to make sure that you’re using a secure connection for your FTP traffic.

If you want to use an SSL/TLS, we first need to create the folder for it. The certificate will be placed in this folder. To do this, you can use the following command:

mkdir -p /etc/ssl/pure-ftpd

Secure your FTP server with the SSL of Let’s Encrypt

In order to use Let’s Encrypt we first have to install Certbot.

apt-get install certbot

Now that we have done the installation, it is time to request an SSL. Make sure you have a hostname and A record for your server and go through all the steps of certbot.

certbot certonly --standalone

Now we are going to merge the created Let’s Encrypt certificate files. We do this with the following command:

cat /etc/letsencrypt/live/*/privkey.pem /etc/letsencrypt/live/*/fullchain.pem > /etc/ssl/private/pure-ftpd.pem

After we’ve merged the certificates, we have to make sure that the renewed SSL is automatically merged via cronob:

nano /etc/cron.d/certbot

If all goes well, the last line should say:

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

Now we have to add the following to the last line:

&& cat /etc/letsencrypt/live/*/privkey.pem /etc/letsencrypt/live/*/fullchain.pem > /etc/ssl/private/pure-ftpd.pem

It should then look as follows:

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew && cat /etc/letsencrypt/live/*/privkey.pem /etc/letsencrypt/live/*/fullchain.pem > /etc/ssl/private/pure-ftpd.pem

If all went well, we can restart Pure-FTPd with the following command:

service pure-ftpd restart

Step 5: create user(s)

There are two ways: create a user with SSH access or create a user without SSH access and set a storage limit.

For every account that is created, a home profile is created at /home.

Easy way to create user(s)

Use the following command to easily create an user:

adduser USERNAME

After entering this command, you can set your password. After having set the password, everything will be ready for this user and a profile will be created on /home/username.

Create user with extra options

If you want to create a user with extra options, we first have to create a user group for FTP users without SSH access.

groupadd ftpgroup

Now we can create the user:

useradd -g ftpgroup -d /dev/null -s /etc USERNAME 

pure-pw useradd USERNAME -u USERNAME -g ftpgroup -d /home/USERNAME

If you want to give the user a storage limit you can add: -N 1000.
This gives the user a storage limit of 1000MB.

Example of the command with a storage limit of 1000 MB:

pure-pw useradd USERNAME -u ftpuser -g ftpgroup -d /home/USERNAME -N 1000

Now we have to create the directory for the FTP user with the following command:

mkdir /home/USERNAME

chown -R USERNAME:ftpgroup /home/USERNAME

The next step is to update the Pure-FTPd database. You can do this with the following command:

pure-pw mkdb

ln -s /etc/pure-ftpd/pureftpd.passwd /etc/pureftpd.passwd

ln -s /etc/pure-ftpd/pureftpd.pdb /etc/pureftpd.pdb

ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/PureDB

Finally, we have to restart the Pure-FTPd:

service pure-ftpd restart

Every time you make changes to a user, the database must be updated:

pure-pw mkdb

Do you want to change the password for an FTP user? Then you can use the following command:

pure-pw passwd USERNAME

I